Solved: Using Results from Subquery

hfalkmeyer · ‎06-08-2017

We are feeding logs from a messaging middleware into our Splunk installation. Input and output logs for this middleware are respectively being stored with sourcetype flags app_input and app_output, with each app_input/app_output pair containing a common, alphanumeric transactionid contained in square brackets. We're trying to build a single line search that will result in a listing of ALL I/O log pairs for which either the app_input or app_output contains a specified string.

Attempting to solve this, we started with sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]\". Now, we'd like the search to continue using each extracted transactionid.

We've tried queries w. subqueries along the lines of sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query and others without luck.

Any assistance would be greatly appreciated.

Thank you in advance,

Harold Falkmeyer

cmerriman · ‎06-08-2017

for this subsearch, try something like this:

sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query|table query|format]

as long as query is in your sourcetype=app_*. your subsearch needs to end with a field name that is in the base search.

View solution in original post

cmerriman · ‎06-08-2017

for this subsearch, try something like this:

sourcetype=app_* [ search sourcetype=app_* some_search | rex "\[(?<transactionid>[A-Za-z0-9]+)\]" | rename transactionid as query|table query|format]

as long as query is in your sourcetype=app_*. your subsearch needs to end with a field name that is in the base search.

hfalkmeyer · ‎06-08-2017

Worked like a charm. The missing component from my attempts was the table query. Thank you VERY much!!

Using Results from Subquery

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life